[Pkg-xfce-devel] Bug#679872: lightdm: No access control for lightdm's system bus

Yair Yarom irush at cs.huji.ac.il
Mon Jul 2 07:51:54 UTC 2012 

Package: lightdm
Version: 1.2.2-1
Severity: normal

Dear Maintainer,

It appears everyone has access to lightdm's system bus, which means
anyone with remote or local access can cause the seat to change user,
lock screen or switch to the greeter.

I.e. the following commands can be executed by any user
dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:

dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToGreeter

dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock

On a multiuser or multiseat environment, this might be problematic. I
think it should be limited to the active session and/or current seat. 

Regards,
    Yair.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.5-aufs-1 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lightdm depends on:
ii  adduser                3.113+nmu3
ii  consolekit             0.4.5-3
ii  dbus                   1.5.12-1
ii  debconf [debconf-2.0]  1.5.43
ii  libc6                  2.13-33
ii  libglib2.0-0           2.32.3-1
ii  libpam0g               1.1.3-7.1
ii  libxcb1                1.8.1-1
ii  libxdmcp6              1:1.1.1-1
ii  lightdm-gtk-greeter    1.1.6-1
ii  lightdm-qt-greeter     1.0.11-1

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.6+13

Versions of packages lightdm suggests:
ii  accountsservice  0.6.15-4

-- Configuration Files:
/etc/init.d/lightdm [Errno 2] No such file or directory: u'/etc/init.d/lightdm'
/etc/lightdm/lightdm.conf changed [not included]
/etc/pam.d/lightdm changed [not included]

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm

More information about the Pkg-xfce-devel mailing list